<html>
<head><meta charset="utf-8"><title>Writing into uninit structs · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html">Writing into uninit structs</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="185694840"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185694840" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Elichai Turkel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185694840">(Jan 15 2020 at 13:00)</a>:</h4>
<p>Hi, this look like it should be UB but Miri doesn't complain and it seems like <code>Rc</code> is doing similar stuff: <a href="https://play.rust-lang.org/?gist=51690e4dd9d723e5b64b6a37280aa5ae" target="_blank" title="https://play.rust-lang.org/?gist=51690e4dd9d723e5b64b6a37280aa5ae">https://play.rust-lang.org/?gist=51690e4dd9d723e5b64b6a37280aa5ae</a><br>
thoughts? (if this isn't the place for questions like that please tell me :) )</p>



<a name="185695684"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185695684" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Elichai Turkel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185695684">(Jan 15 2020 at 13:11)</a>:</h4>
<p>Ha! found it! <a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/77" target="_blank" title="https://github.com/rust-lang/unsafe-code-guidelines/issues/77">https://github.com/rust-lang/unsafe-code-guidelines/issues/77</a> I remember these things were talked about in the group.<br>
most of the talk seem to be on uninhabitable types though</p>



<a name="185714491"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185714491" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185714491">(Jan 15 2020 at 16:25)</a>:</h4>
<p>yeah Miri doesnt currently check that references point to something valid</p>



<a name="185814672"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185814672" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Elichai Turkel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185814672">(Jan 16 2020 at 13:34)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> Is that valid though? Because my example is a simple variation of what happens when You call <code>Rc::new_uninit()</code></p>



<a name="185839980"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185839980" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185839980">(Jan 16 2020 at 17:45)</a>:</h4>
<p>Well, you've found <a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/77" target="_blank" title="https://github.com/rust-lang/unsafe-code-guidelines/issues/77">https://github.com/rust-lang/unsafe-code-guidelines/issues/77</a></p>



<a name="185839986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185839986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185839986">(Jan 16 2020 at 17:45)</a>:</h4>
<p>so, as you can see -- the discussion is still open</p>



<a name="185840017"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185840017" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185840017">(Jan 16 2020 at 17:46)</a>:</h4>
<p>for now we should assume it to be not allowed, but also gather good use-cases for allowing references that are aligned and dereferencable but point to invalid data</p>



<a name="185916587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185916587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Elichai Turkel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185916587">(Jan 17 2020 at 13:44)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> well in the Rc case we could just replace with alloc_zeroed, right? that way the usize's aren't invalid anymore because 0 is a valid usize and then you the reference points to a zeroed struct full of zero allowed primitives except the last one T which is inside a MaybeUninit so that's fine.</p>



<a name="185945009"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185945009" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185945009">(Jan 17 2020 at 18:47)</a>:</h4>
<p>well sure, but should it really be necessary to zero-init things?</p>



<a name="185945016"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185945016" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185945016">(Jan 17 2020 at 18:48)</a>:</h4>
<p>sorry I also lost context here, not sure what the question/goal is^^</p>



<a name="185991128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/185991128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Elichai Turkel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#185991128">(Jan 18 2020 at 11:16)</a>:</h4>
<p>Sorry. I'll try to be focused and concise.<br>
A. Seems like there's no agreement if that's allowed but it might not be.<br>
B. If it might not be allowed why Rc doesn't just zeroize the memory so it would be valid (or maybe they see no reason to do that until there's a decision on validity?)</p>



<a name="186034384"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/186034384" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> comex <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#186034384">(Jan 19 2020 at 10:08)</a>:</h4>
<p>Zero-init is undesirable because it has performance cost.  If it is decided that whatever Rc is doing is illegal (I haven’t looked), it should be fixed, but in a way that’s zero-overhead, using MaybeUninit or something.  That said, since Rc is in the standard library which is versioned along with the compiler, it’s not super urgent to fix theoretical UB if it’s known that the current compiler doesn’t exploit it.  Which is not to say it’s not important, if only because people will reference the standard library when making their own types.</p>



<a name="186036052"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/186036052" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Elichai Turkel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#186036052">(Jan 19 2020 at 11:04)</a>:</h4>
<blockquote>
<p>Zero-init is undesirable because it has performance cost.  If it is decided that whatever Rc is doing is illegal (I haven’t looked), it should be fixed, but in a way that’s zero-overhead, using MaybeUninit or something.  That said, since Rc is in the standard library which is versioned along with the compiler, it’s not super urgent to fix theoretical UB if it’s known that the current compiler doesn’t exploit it.  Which is not to say it’s not important, if only because people will reference the standard library when making their own types.</p>
</blockquote>
<p>Well right now rust doesn't let you calculate fields offsets in a "safe" way (at least that what the debate is rn)</p>



<a name="186050043"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing%20into%20uninit%20structs/near/186050043" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Writing.20into.20uninit.20structs.html#186050043">(Jan 19 2020 at 18:24)</a>:</h4>
<blockquote>
<p>if only because people will reference the standard library when making their own types.</p>
</blockquote>
<p>I feel we need to raise more awareness that this is a bad idea and double down more on documenting the specialness of assumptions that the standard library makes in <code>// SAFETY</code> comments</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>